Data breaches are no joke.
According to one widely cited report on 2018, WordPress accounted for about 90 percent of the hacked CMS sites it examined. That sounds unbelievably high, but WordPress also powers about 30 percent of all websites, so the problem goes beyond any vulnerability in the CMS itself.
WordPress developers have done a lot to make the platform reasonably secure out of the box, and the core code is rarely the weak link. Most compromised sites got there through poor maintenance: in the same report, more than 36 percent of hacked WordPress websites were running an outdated version of the CMS.
This suggests that website security is a long-term game and that WordPress users need to understand the importance of continuous maintenance. To minimize the possibility of data breaches and protect your online data, you need to know what to maintain and do it on a regular basis.
We’ve compiled a list of nine solutions for avoiding data breaches for your WordPress website to get you started with web security.
1. Check Your Password
While this one seems pretty obvious, you won't believe how many people make the mistake of using a weak password to protect the admin panel. Just listen to this: a recent analysis by the UK's National Cyber Security Centre (NCSC) found that "123456" was the most common password among breached accounts, appearing 23.2 million times. Second place went to "123456789", which is just as easy for attackers to guess. Other entries high on the list of breached passwords included "password" and "qwerty".
This is to say that a lot of people don’t really have passwords that could be considered strong enough to protect them from having their personal data stolen.
“Using hard-to-guess passwords is a strong first step and we recommend combining three random but memorable words,” CNN quoted Ian Levy, NCSC’s technical director, as saying. “Be creative and use words memorable to you, so people can’t guess your password.”
This is exactly what you should do. The first step to securing your WordPress website is a strong password that you use nowhere else: either three random words, as the NCSC suggests, or a long random string mixing digits, upper- and lowercase letters and special characters. Length and randomness matter more than any particular character class; guessing tools try every common password and every dictionary word with simple substitutions long before they try anything random.
If coming up with a password like that is a challenge, remember that a random password generator (most password managers have one built in) can produce passwords to whatever requirements you set, and the manager will remember it for you.
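As an added example (written for this edit, not taken from the article or from the NCSC), the following Python snippet does both things the section recommends: it generates a three-random-word passphrase with the operating system's secure random source, and it checks a candidate password against a blocklist of common hacked passwords. The word list and the blocklist are small constructed samples; a real deployment would use a full dictionary and the NCSC's published list of the 100,000 most common breached passwords.

```python
import math
import secrets

# Constructed blocklist: the passwords the NCSC analysis named plus a few more
# common ones. A production check should load a full breach-derived list.
COMMON_PASSWORDS = {
    "123456", "123456789", "qwerty", "password", "1111111", "12345678",
    "abc123", "1234567", "password1", "12345",
}

# Constructed word list for the demo; a real one should have thousands of words.
WORDLIST = [
    "copper", "violin", "harbor", "meadow", "lantern", "pebble", "saddle",
    "thunder", "walnut", "orbit", "candle", "glacier", "velvet", "marble",
]


def generate_passphrase(words=WORDLIST, count=3, separator="-"):
    """Join `count` words chosen with the OS CSPRNG (never random.choice)."""
    return separator.join(secrets.choice(words) for _ in range(count))


def passphrase_entropy_bits(wordlist_size, count):
    """Guessing effort for `count` words drawn uniformly from a list."""
    return count * math.log2(wordlist_size)


def check_password(password, blocklist=COMMON_PASSWORDS, min_length=12):
    """Return the reasons a password is rejected; an empty list means acceptable."""
    problems = []
    if password.lower() in blocklist:
        problems.append("appears in common-password blocklist")
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if len(set(password)) <= 2:
        problems.append("uses only one or two distinct characters")
    return problems


if __name__ == "__main__":
    candidate = generate_passphrase()
    print(candidate, check_password(candidate))
    print("123456", check_password("123456"))
    print(f"3 words from a 7776-word list: {passphrase_entropy_bits(7776, 3):.1f} bits")
```

Three words from a 7776-word list give roughly 39 bits of guessing effort; the 14-word demo list gives only about 11, which is why the size of the dictionary matters as much as the number of words.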
2. Update. Seriously
As mentioned in the introduction, more than 36 percent of the WordPress websites hacked in 2018 were running an outdated version of the platform. Plenty of people ignore updates, and that is a risky decision: updates carry the latest security fixes, and some releases exist specifically to close a disclosed vulnerability, so from the day such a release ships every unpatched site is a known target.
In addition to updating the CMS, update every plugin and theme you keep, and delete the ones you no longer use; an inactive plugin's files are still on the server, and a vulnerability in one of them may still be reachable. If you are worried that an update might break something, take a backup first (and test on a staging copy if you have one), and you'll be good to go.
3. Consider Installing Security Plugins
One reason why we love WordPress is the fact that you can install a lot of really useful plugins. Thankfully, many of these plugins can really enhance the security of your website, so installing the best ones is strongly recommended.
Some of the most popular ones with the best reputation include iThemes Security and Wordfence Security. The most useful features that you can employ to protect your website with these two plugins include:
- Two-factor authentication, so that a stolen or guessed password alone is not enough to log in
- CAPTCHA on the login page for additional protection from bots
- A site scan for known security issues
- Security alerts; for example, the plugins can notify you if a plugin you use has been abandoned or removed from the WordPress plugin directory
- A password generator to ensure reasonable complexity
- Password expiration; you can set an expiry interval and force users to choose new passwords, although current guidance from both the NCSC and NIST is to change passwords only when compromise is suspected, so use this sparingly
- Scheduled malware scans for regular monitoring
- A content safety checker that scans articles, posts and comments for potentially dangerous material such as spam
Like many other security plugins, these ones are updated on a regular basis, so don’t forget to update them, too.
4. Move Your Site from HTTP to HTTPS
Since July 2018, Google Chrome has marked every page served over plain HTTP as "Not Secure", so moving from HTTP to HTTPS is now the baseline rather than an extra. HTTPS is ordinary HTTP carried inside a TLS connection: it encrypts the traffic between a visitor's browser and your server and lets the browser verify that it is really talking to your site, so credentials and other data can't be read or tampered with in transit.
TLS (Transport Layer Security) is the successor of SSL (Secure Sockets Layer), but the old name lives on in the term "SSL certificate". The certificate ties the encrypted connection to your domain name; the protocol around it is what protects data such as payment details and login credentials between the website and the user.
To move your WordPress website to HTTPS you need such a certificate. Google has also used HTTPS as a (lightweight) ranking signal in search results since 2014, announced precisely to encourage the transition.
On top of that, a "Not Secure" label in the address bar next to your site's name gives many visitors a bad impression of your website and may convince them to leave.
So, here’s what you need to do to get an SSL certificate and complete the transfer to HTTPS.
First, obtain the certificate from a Certificate Authority (CA). The CA verifies that you control the domain (and, for the higher validation levels, that your organization is who it says it is) before issuing it. GlobalSign and GoDaddy are widely used commercial CAs; Let's Encrypt issues domain-validated certificates for free, and many hosting panels can request and renew one for you. Whichever you pick, note the expiry date: certificates expire, and an expired one produces a far scarier browser warning than plain HTTP ever did.
Second, once the certificate is installed on the web server, configure WordPress to use HTTPS: set the site and home URLs to https://, redirect plain-HTTP requests, and fix references to your own resources that still use http://. The easiest way to do all of that is a plugin such as Really Simple SSL.
When activated, the plugin checks that a certificate is working, switches the site's URLs to HTTPS, redirects HTTP requests and rewrites insecure http:// references to your own resources so that browsers don't flag "mixed content".
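What a "mixed content fixer" actually does can be illustrated in a few lines of Python. This is an added example written for this edit, not code from the article or from Really Simple SSL; the page fragment and the host name example.com are constructed for the demo.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes whose http:// value makes a browser load a subresource insecurely.
# <a href> is a navigation, not a subresource, so href only counts on <link>.
SUBRESOURCE_ATTRS = {"src", "action", "data", "poster"}


class MixedContentScanner(HTMLParser):
    """Collect (tag, attribute, url) for every plain-http subresource reference."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if not value or not value.lower().startswith("http://"):
                continue
            if name in SUBRESOURCE_ATTRS or (tag == "link" and name == "href"):
                self.findings.append((tag, name, value))


def find_mixed_content(html):
    scanner = MixedContentScanner()
    scanner.feed(html)
    return scanner.findings


def rewrite_to_https(html, site_host):
    """Upgrade http:// references to our own host only. Third-party hosts are
    left alone: they may not serve HTTPS, and silently rewriting them would
    swap a browser warning for a broken resource."""
    for _tag, _attr, url in find_mixed_content(html):
        if urlsplit(url).hostname == site_host:
            html = html.replace(url, "https://" + url[len("http://"):])
    return html


# Constructed page fragment, of the kind a half-migrated WordPress site serves.
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="http://example.com/wp-content/themes/x/style.css">
<script src="http://example.com/wp-includes/js/jquery/jquery.js"></script>
</head><body>
<img src="http://cdn.example.net/banner.png">
<a href="http://example.com/about/">About</a>
<img src="https://example.com/wp-content/uploads/ok.png">
</body></html>"""

if __name__ == "__main__":
    for finding in find_mixed_content(SAMPLE_PAGE):
        print("mixed content:", finding)
    fixed = rewrite_to_https(SAMPLE_PAGE, "example.com")
    print("still mixed after rewrite:", find_mixed_content(fixed))
```

The banner loaded from the third-party CDN is the one the script leaves alone and reports; that is the case you have to resolve by hand, either by finding an HTTPS source for the file or by hosting it yourself.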
5. Limit Login Attempts
Even if an attacker knows your username, guessing the password still takes a great many attempts. To stop a brute-force attack as early as possible, restrict how many times a client may fail to log in before it is blocked.
It's very easy: install the free plugin Limit Login Attempts Reloaded, which temporarily blocks IP addresses that exceed the number of failed attempts you configure. You can also limit attempts made with authentication cookies (a forged cookie is another way to probe). To keep specific addresses out altogether, add them to the plugin's blocklist, and allow-list your own fixed address so you don't lock yourself out. If your site sits behind a CDN or reverse proxy, make sure the plugin reads the real client address from the forwarded header; otherwise every visitor appears to come from the proxy, and one attacker can lock everyone out.
You can change the plugin's settings under Settings > Limit Login Attempts. The same page shows how many lockouts have occurred; a rising count usually means a brute-force attack is under way.
The plugin is currently active on 900,000+ websites, has a high rating, and is updated on a regular basis.
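To see what such a limiter actually does, here is an added Python model of per-IP lockouts replayed over a constructed login log. This is example code written for this edit, not the plugin's own; the thresholds (4 failures, a 20-minute lockout, a 12-hour counting window) are assumptions for the demo, so check the plugin's own settings page for its defaults.

```python
from collections import defaultdict, deque
from datetime import datetime

# Constructed thresholds in the spirit of the plugin's settings; the exact
# values are an assumption for this demo, not the plugin's defaults.
MAX_RETRIES = 4            # failures before an address is locked out
RETRY_WINDOW = 12 * 3600   # seconds in which failures are counted together
LOCKOUT_SECONDS = 20 * 60  # how long a locked address stays blocked


class LoginLimiter:
    """Per-IP failed-login counter with temporary lockouts."""

    def __init__(self, max_retries=MAX_RETRIES, retry_window=RETRY_WINDOW,
                 lockout_seconds=LOCKOUT_SECONDS):
        self.max_retries = max_retries
        self.retry_window = retry_window
        self.lockout_seconds = lockout_seconds
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.locked_until = {}              # ip -> time the lockout expires
        self.lockout_count = 0              # what the plugin's settings page reports

    def is_locked(self, ip, now):
        until = self.locked_until.get(ip)
        if until is not None and now < until:
            return True
        self.locked_until.pop(ip, None)
        return False

    def attempt(self, ip, password_ok, now):
        """Decide one login attempt: 'locked', 'allowed' or 'failed'.
        A locked address is refused even when the password is right, which is
        exactly what denies a brute-forcer its eventual correct guess."""
        if self.is_locked(ip, now):
            return "locked"
        if password_ok:
            self.failures.pop(ip, None)
            return "allowed"
        recent = self.failures[ip]
        recent.append(now)
        while recent and now - recent[0] > self.retry_window:
            recent.popleft()
        if len(recent) >= self.max_retries:
            self.locked_until[ip] = now + self.lockout_seconds
            self.lockout_count += 1
            recent.clear()
            return "locked"
        return "failed"


# Constructed authentication log: "<ISO time> <client ip> <user> <OK|FAIL>".
SAMPLE_LOG = """\
2019-05-01T10:00:01 203.0.113.7 admin FAIL
2019-05-01T10:00:03 203.0.113.7 admin FAIL
2019-05-01T10:00:05 203.0.113.7 admin FAIL
2019-05-01T10:00:07 203.0.113.7 admin FAIL
2019-05-01T10:00:09 203.0.113.7 admin OK
2019-05-01T10:01:00 198.51.100.4 editor FAIL
2019-05-01T10:02:00 198.51.100.4 editor OK
2019-05-01T10:25:00 203.0.113.7 admin OK
"""


def replay(log_text, limiter=None):
    """Feed log lines through the limiter; return (decision per line, lockouts)."""
    limiter = limiter or LoginLimiter()
    decisions = []
    for line in log_text.splitlines():
        when, ip, _user, result = line.split()
        now = datetime.fromisoformat(when).timestamp()
        decisions.append(limiter.attempt(ip, result == "OK", now))
    return decisions, limiter.lockout_count


if __name__ == "__main__":
    decisions, lockouts = replay(SAMPLE_LOG)
    for line, decision in zip(SAMPLE_LOG.splitlines(), decisions):
        print(f"{decision:8} {line}")
    print("lockouts:", lockouts)
```

Note the fifth line: the address that just got locked submits the right password and is still refused, and only gets in after the lockout has expired at 10:25. The weakness of any per-IP scheme is also visible: a second address keeps its own counter, so an attacker rotating through a botnet is slowed far less than this single-source example suggests, which is why two-factor authentication belongs alongside it.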
6. Hide the wp-config.php File
By default, wp-config.php sits in the root directory of the WordPress installation, which is inside the web server's document root. PHP normally executes the file rather than serving its source, but a broken PHP handler, an editor's backup copy (wp-config.php~ or wp-config.php.bak, which the server happily serves as text) or a path-traversal bug in a plugin can expose it, and it contains the database credentials and the authentication keys and salts. Keeping the real file in a directory that the web server does not serve is worth considering.
WordPress already supports the simplest form of this: if wp-config.php is missing from the installation directory, it looks one directory up (as long as that directory is not itself another WordPress install). With a web root of /home/yourname/public_html, moving the file to /home/yourname/wp-config.php needs no other change. If you want it somewhere else, copy the contents of wp-config.php to the new location and replace the original with a stub that only includes it:
<?php
// Stub left in the web root; the real configuration lives outside the document root.
include('/home/yourname/wp-config.php');
Replace the path with the real location of the moved file. Make sure that directory is outside the document root and that the file is readable by the user PHP runs as, but not by anyone else (see the permissions section next).
7. Change File Permissions
Let's get a little more technical now. Everything your WordPress website consists of is stored in files and folders in a simple hierarchy, and file permissions decide which system users may read, change or execute each of them. The goal is that only the appropriate users can.
The permission system uses a number between 0 and 7 for each class of user, formed by adding 4 for read, 2 for write and 1 for execute:
0: no access to the file
1: execute only
2: write (edit) only
3: write and execute
4: read only
5: read and execute
6: read and write
7: read, write and execute
For a directory, "execute" means being able to enter it and reach the files inside, and "write" means being able to create, rename or delete entries in it.
The permission is expressed as a three-digit code. The first digit applies to the file's owner (the system account the site runs under, not the WordPress admin user), the second to the owner's group, and the third to everyone else on the server.
For example, a file with permission 730 can be read, written and executed by its owner, the group can only write and execute it, and everyone else has no access at all.
According to the WordPress hardening guidance, the best baseline is 644 for files and 755 for directories: the owner can modify everything, while everybody else can only read files and traverse directories. wp-config.php deserves less: 640 or, if PHP runs as the file's owner, 600. Never use 777; on a shared host it lets every other account write to your site.
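An added example that covers this section and the previous one (written for this edit, not part of the article or of WordPress): a Python audit that walks an installation, reports every file or directory whose mode deviates from 644/755, treats wp-config.php as needing the stricter 640 (an assumption following the advice above), can apply the fix, and checks whether a relocated wp-config.php really lies outside the document root. It builds a throwaway tree with deliberate mistakes under a temporary directory, so it runs on any Linux machine without touching a live site.

```python
import os
import stat
import tempfile

FILE_MODE = 0o644    # from the WordPress guidance above
DIR_MODE = 0o755
CONFIG_MODE = 0o640  # assumed stricter mode for wp-config.php (600 if PHP runs as the owner)


def expected_mode(path, is_dir):
    if is_dir:
        return DIR_MODE
    return CONFIG_MODE if os.path.basename(path) == "wp-config.php" else FILE_MODE


def audit_permissions(root):
    """Return (path, actual_mode, expected_mode) for every entry that deviates,
    sorted by path. Symlinks are skipped because chmod would follow them."""
    entries = [(root, True)]
    for dirpath, dirnames, filenames in os.walk(root):
        entries += [(os.path.join(dirpath, d), True) for d in dirnames]
        entries += [(os.path.join(dirpath, f), False) for f in filenames]
    problems = []
    for path, is_dir in entries:
        st = os.lstat(path)
        if stat.S_ISLNK(st.st_mode):
            continue
        actual = stat.S_IMODE(st.st_mode)
        wanted = expected_mode(path, is_dir)
        if actual != wanted:
            problems.append((path, actual, wanted))
    return sorted(problems)


def fix_permissions(root):
    """Apply the expected modes; returns how many entries were changed."""
    problems = audit_permissions(root)
    for path, _actual, wanted in problems:
        os.chmod(path, wanted)
    return len(problems)


def outside_docroot(path, docroot):
    """True if `path` is not beneath the web server's document root."""
    path, docroot = os.path.realpath(path), os.path.realpath(docroot)
    return os.path.commonpath([path, docroot]) != docroot


def build_sample_tree():
    """Constructed install with three deliberate mistakes: a 777 uploads
    directory, a world-readable wp-config.php and a 666 debug log."""
    home = tempfile.mkdtemp()
    docroot = os.path.join(home, "public_html")
    uploads = os.path.join(docroot, "wp-content", "uploads")
    os.makedirs(uploads)
    os.chmod(docroot, DIR_MODE)
    os.chmod(os.path.join(docroot, "wp-content"), DIR_MODE)
    os.chmod(uploads, 0o777)
    for name, mode in (("index.php", FILE_MODE), ("wp-config.php", 0o644),
                       (os.path.join("wp-content", "debug.log"), 0o666)):
        p = os.path.join(docroot, name)
        open(p, "w").close()
        os.chmod(p, mode)
    return home, docroot


def run_demo():
    home, docroot = build_sample_tree()
    before = [os.path.relpath(p, docroot) for p, _, _ in audit_permissions(docroot)]
    changed = fix_permissions(docroot)
    return {
        "before": before,
        "changed": changed,
        "after": audit_permissions(docroot),
        "relocated_config_is_outside": outside_docroot(os.path.join(home, "wp-config.php"), docroot),
        "root_config_is_outside": outside_docroot(os.path.join(docroot, "wp-config.php"), docroot),
    }


if __name__ == "__main__":
    print(run_demo())
```

Point audit_permissions at a real installation before fix_permissions, and read the report first: a deliberately writable uploads directory is the usual exception a host's setup requires, and you don't want to "fix" it blind.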
8. Keep an Eye on the Activity of Admins
This is a must for WordPress websites with multiple users. If one of them engages in suspicious activity, you should know about it, and there's a way to do that. Many security plugins track activity in the admin area, but if you want a dedicated solution, check out Simple History. It provides an easy-to-understand log of the important events and changes happening on the site, including:
- activation and deactivation of plugins
- taxonomy changes (categories and tags)
- addition, update, and deletion of attachments
- user profile activity
- failed login attempts (a burst of these could indicate a brute-force attack)
- menu edits
- user logins
- changes made on the options screens
- user data deletion requests.
Review the log regularly rather than only after an incident, and remember that an attacker who gains admin rights can clear a log kept in the site's own database, so treat it as a detection aid rather than tamper-proof evidence.
9. Increase the Security of your Database
Securing your WordPress website through the database is crucial because it contains all your site’s data. There are a couple of ways you can go about that.
The first is to change the database table prefix. A default installation uses the wp_ prefix and attackers know it: automated SQL injection tools assume table names such as wp_users and wp_options. Changing the prefix to something like wpnew_, x40w_ or mywp_ (WordPress allows only letters, digits and underscores) makes those canned attacks fail and reduces the chance that a hacker gets at your data. It is not a substitute for fixing the injection bug itself: anyone who can run arbitrary SQL can read the real table names from information_schema. Do this on a fresh install if you can; on an existing site you must rename every table and the prefixed rows in the options and usermeta tables, then change $table_prefix in wp-config.php, or nobody will be able to log in.
The second is to change the name of the database. Many hosting installers derive it from the site or account name, so a site called BasketballHoops ends up with something like wp_basketballhoops, which is easy to guess. A less predictable name is recommended, with the caveat that it only raises the bar against guessing: the name is readable by anyone who gets hold of wp-config.php, so the database user's password (long, random and unique to this site) matters far more.
Doing so is easy: log into cPanel and open phpMyAdmin. Locate the database you want to rename, click on it, and select the "Operations" tab in the menu at the top. There you'll find an option to rename the database (use only letters, digits and underscores).
Keep in mind that you'll then have to update wp-config.php. Open it in cPanel's File Manager (right-click the file and choose "Edit") and find the line:
define('DB_NAME', 'your_db');
Replace your_db, the current database name, with the name you came up with, and save the file.
The last setting to change is the database user's access, because its privileges were granted on the old name. Open MySQL Databases in cPanel, find "Add a User to a Database", choose the existing user and the renamed database from the drop-down menus, and click "Add".
Finish by selecting "All Privileges" on the next page and clicking "Make Changes" (WordPress needs full rights on its own database, but this user should have no rights on any other). Then reactivate the plugins. Now the name of your database is a lot harder for hackers to guess.
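An added example for the table-prefix change described at the start of this section (example code written for this edit, not WordPress or cPanel code): a Python helper that emits the SQL needed to migrate an existing install to a new prefix, including the option and user-meta rows that embed the prefix, validates the new prefix, and rewrites the $table_prefix line in wp-config.php. The table list, the sample config and the prefix x7q_ are constructed; the list of prefixed keys is what WordPress core writes as far as I know, and plugins may add their own, so grep a database dump for the old prefix before calling the migration done.

```python
import re

# Table names of a default single-site install (constructed; on a real site
# read them with SHOW TABLES and include any plugin tables).
DEFAULT_TABLES = [
    "wp_commentmeta", "wp_comments", "wp_links", "wp_options", "wp_postmeta",
    "wp_posts", "wp_termmeta", "wp_terms", "wp_term_relationships",
    "wp_term_taxonomy", "wp_usermeta", "wp_users",
]

# Rows whose keys embed the prefix. Renaming the tables alone leaves these
# behind and every user loses their role. Core keys as far as I know;
# plugins may add more.
PREFIXED_OPTION_KEYS = ["user_roles"]
PREFIXED_USERMETA_KEYS = [
    "capabilities", "user_level", "user-settings", "user-settings-time",
    "dashboard_quick_press_last_post_id",
]

VALID_PREFIX = re.compile(r"^[A-Za-z0-9_]+$")


def is_valid_prefix(prefix):
    """WordPress accepts only letters, digits and underscores in $table_prefix."""
    return bool(VALID_PREFIX.match(prefix))


def prefix_change_sql(tables, old, new):
    """SQL statements that move an install from prefix `old` to prefix `new`."""
    if not is_valid_prefix(new):
        raise ValueError(f"invalid prefix {new!r}: use letters, digits and underscores")
    stmts = [f"RENAME TABLE `{t}` TO `{new}{t[len(old):]}`;"
             for t in tables if t.startswith(old)]
    for key in PREFIXED_OPTION_KEYS:
        stmts.append(f"UPDATE `{new}options` SET option_name = '{new}{key}' "
                     f"WHERE option_name = '{old}{key}';")
    for key in PREFIXED_USERMETA_KEYS:
        stmts.append(f"UPDATE `{new}usermeta` SET meta_key = '{new}{key}' "
                     f"WHERE meta_key = '{old}{key}';")
    return stmts


def set_table_prefix(config_text, new):
    """Rewrite the $table_prefix assignment in the text of wp-config.php."""
    if not is_valid_prefix(new):
        raise ValueError(f"invalid prefix {new!r}: use letters, digits and underscores")
    pattern = re.compile(r"""^(\s*\$table_prefix\s*=\s*)(['"]).*?\2(\s*;)""", re.M)
    text, count = pattern.subn(lambda m: f"{m.group(1)}'{new}'{m.group(3)}", config_text)
    if count != 1:
        raise ValueError("expected exactly one $table_prefix assignment")
    return text


# Constructed wp-config.php fragment.
SAMPLE_CONFIG = """<?php
define('DB_NAME', 'your_db');
define('DB_USER', 'wpuser');
$table_prefix = 'wp_';
"""

if __name__ == "__main__":
    for stmt in prefix_change_sql(DEFAULT_TABLES, "wp_", "x7q_"):
        print(stmt)
    print(set_table_prefix(SAMPLE_CONFIG, "x7q_"))
```

Take a backup, run the statements inside one transaction, then deploy the rewritten wp-config.php. Updating the keys one by one is deliberate: a blanket UPDATE ... WHERE option_name LIKE 'wp\_%' would also rename core options such as wp_page_for_privacy_policy, which merely start with wp_ and have nothing to do with the prefix.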
Make Protection a Continuous Process
Ignoring and underestimating the importance of protecting WordPress is a big reason why so many websites supported by this CMS are hacked. Hopefully, this guide will help you to improve the overall security of your WordPress site and reduce the risk of data breaches. Just remember that keeping it that way is a marathon, not a sprint, so make online security a long-term priority to ensure that all data is safe. Start by checking if your system is backed up and updated, and make sure that it stays that way.